@backstage-community/plugin-rbac-backend 5.3.1 → 5.4.0

package/dist/validation/policies-validation.cjs.js

@@ -7,14 +7,14 @@ var pluginRbacCommon = require('@backstage-community/plugin-rbac-common');
 
 const validateSource = async (source, roleMetadata) => {
   if (!roleMetadata) {
-    return void 0;
+    return undefined;
   }
   if (roleMetadata.source !== source && roleMetadata.source !== "legacy") {
     return new Error(
       `source does not match originating role ${roleMetadata.roleEntityRef}, consider making changes to the '${roleMetadata.source.toLocaleUpperCase()}'`
     );
   }
-  return void 0;
+  return undefined;
 };
 function validatePolicy(policy) {
   const err = validateEntityReference(policy.entityReference);
@@ -38,7 +38,7 @@ function validatePolicy(policy) {
       `'effect' has invalid value: '${policy.effect}'. It should be: '${pluginPermissionCommon.AuthorizeResult.ALLOW.toLocaleLowerCase()}' or '${pluginPermissionCommon.AuthorizeResult.DENY.toLocaleLowerCase()}'`
     );
   }
-  return void 0;
+  return undefined;
 }
 function validateRole(role) {
   if (!role.name) {
@@ -57,7 +57,7 @@ function validateRole(role) {
       return err;
     }
   }
-  return void 0;
+  return undefined;
 }
 function isValidEffectValue(effect) {
   return effect === pluginPermissionCommon.AuthorizeResult.ALLOW.toLocaleLowerCase() || effect === pluginPermissionCommon.AuthorizeResult.DENY.toLocaleLowerCase();
@@ -106,7 +106,7 @@ function validateEntityReference(entityRef, role) {
       `The namespace '${entityRefCompound.namespace}' in the entity reference must be a string that is sequences of [a-z0-9] separated by [-], at most 63 characters in total`
     );
   }
-  return void 0;
+  return undefined;
 }
 async function validateGroupingPolicy(groupPolicy, roleMetadataStorage, source) {
   if (groupPolicy.length !== 2) {
@@ -148,7 +148,7 @@ async function validateGroupingPolicy(groupPolicy, roleMetadataStorage, source)
       `Unable to validate role ${groupPolicy}. Cause: ${err.message}`
     );
   }
-  return void 0;
+  return undefined;
 }
 const checkForDuplicatePolicies = async (fileEnf, policy, policyFile) => {
   const duplicates = await fileEnf.getFilteredPolicy(0, ...policy);
@@ -172,7 +172,7 @@ const checkForDuplicatePolicies = async (fileEnf, policy, policyFile) => {
       `Duplicate policy: ${policy[0]}, ${policy[1]}, ${policy[2]} with different effect found in the file ${policyFile}`
     );
   }
-  return void 0;
+  return undefined;
 };
 const checkForDuplicateGroupPolicies = async (fileEnf, policy, policyFile) => {
   const duplicates = await fileEnf.getFilteredGroupingPolicy(0, ...policy);
@@ -181,7 +181,7 @@ const checkForDuplicateGroupPolicies = async (fileEnf, policy, policyFile) => {
       `Duplicate role: ${policy} found in the file ${policyFile}`
     );
   }
-  return void 0;
+  return undefined;
 };
 
 exports.checkForDuplicateGroupPolicies = checkForDuplicateGroupPolicies;

package/dist/validation/policies-validation.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"policies-validation.cjs.js","sources":["../../src/validation/policies-validation.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { CompoundEntityRef, parseEntityRef } from '@backstage/catalog-model';\nimport { NotAllowedError } from '@backstage/errors';\nimport { AuthorizeResult } from '@backstage/plugin-permission-common';\n\nimport { Enforcer } from 'casbin';\n\nimport {\n  isValidPermissionAction,\n  PermissionActionValues,\n  Role,\n  RoleBasedPolicy,\n  Source,\n} from '@backstage-community/plugin-rbac-common';\n\nimport {\n  RoleMetadataDao,\n  RoleMetadataStorage,\n} from '../database/role-metadata';\n\n/**\n * validateSource validates the source to the role that is being modified. This includes comparing the source from the\n * originating role to the source that the modification is coming from.\n * We do this to ensure consistency between permissions and roles and where they are originally defined.\n * This is a strict comparison where the source of all new roles (grouping policies) and permissions must match\n * the source of the first role that was created.\n * We are not strict for permission policies defined with an originating role source of configuration.\n * @param source The source in which the modification is coming from\n * @param roleMetadata The original role that was created\n * @returns An error in the event that the source does not match the originating role\n */\nexport const validateSource = async (\n  source: Source,\n  roleMetadata: RoleMetadataDao | undefined,\n): Promise<Error | undefined> => {\n  if (!roleMetadata) {\n    return undefined; // Role does not exist yet, there is no conflict with the source\n  }\n\n  if (roleMetadata.source !== source && roleMetadata.source !== 'legacy') {\n    return new Error(\n      `source does not match originating role ${\n        roleMetadata.roleEntityRef\n      }, consider making changes to the '${roleMetadata.source.toLocaleUpperCase()}'`,\n    );\n  }\n\n  return undefined;\n};\n\n// This should be called on add and edit and delete\nexport function validatePolicy(policy: RoleBasedPolicy): Error | undefined {\n  const err = validateEntityReference(policy.entityReference);\n  if (err) {\n    return err;\n  }\n\n  if (!policy.permission) {\n    return new Error(`'permission' field must not be empty`);\n  }\n\n  if (!policy.policy) {\n    return new Error(`'policy' field must not be empty`);\n  } else if (!isValidPermissionAction(policy.policy)) {\n    return new Error(\n      `'policy' has invalid value: '${\n        policy.policy\n      }'. It should be one of: ${PermissionActionValues.join(', ')}`,\n    );\n  }\n\n  if (!policy.effect) {\n    return new Error(`'effect' field must not be empty`);\n  } else if (!isValidEffectValue(policy.effect)) {\n    return new Error(\n      `'effect' has invalid value: '${\n        policy.effect\n      }'. It should be: '${AuthorizeResult.ALLOW.toLocaleLowerCase()}' or '${AuthorizeResult.DENY.toLocaleLowerCase()}'`,\n    );\n  }\n\n  return undefined;\n}\n\nexport function validateRole(role: Role): Error | undefined {\n  if (!role.name) {\n    return new Error(`'name' field must not be empty`);\n  }\n\n  let err = validateEntityReference(role.name, true);\n  if (err) {\n    return err;\n  }\n\n  if (!role.memberReferences || role.memberReferences.length === 0) {\n    return new Error(`'memberReferences' field must not be empty`);\n  }\n\n  for (const member of role.memberReferences) {\n    err = validateEntityReference(member);\n    if (err) {\n      return err;\n    }\n  }\n  return undefined;\n}\n\nfunction isValidEffectValue(effect: string): boolean {\n  return (\n    effect === AuthorizeResult.ALLOW.toLocaleLowerCase() ||\n    effect === AuthorizeResult.DENY.toLocaleLowerCase()\n  );\n}\n\nfunction isValidEntityName(name: string): boolean {\n  const validNamePattern = /^[a-zA-Z0-9]+([._-][a-zA-Z0-9]+)*$/;\n  return validNamePattern.test(name) && name.length <= 63;\n}\n\nfunction isValidEntityNamespace(namespace: string): boolean {\n  const validNamespacePattern = /^[a-z0-9]+(-[a-z0-9]+)*$/;\n  return validNamespacePattern.test(namespace) && namespace.length <= 63;\n}\n\n// We supports only full form entity reference: [<kind>:][<namespace>/]<name>\nexport function validateEntityReference(\n  entityRef?: string,\n  role?: boolean,\n): Error | undefined {\n  if (!entityRef) {\n    return new Error(`'entityReference' must not be empty`);\n  }\n\n  let entityRefCompound: CompoundEntityRef;\n  try {\n    entityRefCompound = parseEntityRef(entityRef);\n  } catch (err) {\n    return err as Error;\n  }\n\n  const entityRefFull = `${entityRefCompound.kind}:${entityRefCompound.namespace}/${entityRefCompound.name}`;\n  if (entityRefFull !== entityRef) {\n    return new Error(\n      `entity reference '${entityRef}' does not match the required format [<kind>:][<namespace>/]<name>. Provide, please, full entity reference.`,\n    );\n  }\n\n  if (role && entityRefCompound.kind !== 'role') {\n    return new Error(\n      `Unsupported kind ${entityRefCompound.kind}. Supported value should be \"role\"`,\n    );\n  }\n\n  if (\n    entityRefCompound.kind !== 'user' &&\n    entityRefCompound.kind !== 'group' &&\n    entityRefCompound.kind !== 'role'\n  ) {\n    return new Error(\n      `Unsupported kind ${entityRefCompound.kind}. List supported values [\"user\", \"group\", \"role\"]`,\n    );\n  }\n\n  if (!isValidEntityName(entityRefCompound.name)) {\n    return new Error(\n      `The name '${entityRefCompound.name}' in the entity reference must be a string that is sequences of [a-zA-Z0-9] separated by any of [-_.], at most 63 characters in total`,\n    );\n  }\n\n  if (!isValidEntityNamespace(entityRefCompound.namespace)) {\n    return new Error(\n      `The namespace '${entityRefCompound.namespace}' in the entity reference must be a string that is sequences of [a-z0-9] separated by [-], at most 63 characters in total`,\n    );\n  }\n\n  return undefined;\n}\n\nexport async function validateGroupingPolicy(\n  groupPolicy: string[],\n  roleMetadataStorage: RoleMetadataStorage,\n  source: Source,\n): Promise<Error | undefined> {\n  if (groupPolicy.length !== 2) {\n    return new Error(`Group policy should have length 2`);\n  }\n\n  const member = groupPolicy[0];\n  let err = validateEntityReference(member);\n  if (err) {\n    return new Error(\n      `Failed to validate group policy ${groupPolicy}. Cause: ${err.message}`,\n    );\n  }\n  const parent = groupPolicy[1];\n  err = validateEntityReference(parent);\n  if (err) {\n    return new Error(\n      `Failed to validate group policy ${groupPolicy}. Cause: ${err.message}`,\n    );\n  }\n  if (member.startsWith(`role:`)) {\n    return new Error(\n      `Group policy is invalid: ${groupPolicy}. rbac-backend plugin doesn't support role inheritance.`,\n    );\n  }\n  if (member.startsWith(`group:`) && parent.startsWith(`group:`)) {\n    return new Error(\n      `Group policy is invalid: ${groupPolicy}. Group inheritance information could be provided only with help of Catalog API.`,\n    );\n  }\n  if (member.startsWith(`user:`) && parent.startsWith(`group:`)) {\n    return new Error(\n      `Group policy is invalid: ${groupPolicy}. User membership information could be provided only with help of Catalog API.`,\n    );\n  }\n\n  const metadata = await roleMetadataStorage.findRoleMetadata(parent);\n\n  err = await validateSource(source, metadata);\n  if (metadata && err) {\n    return new NotAllowedError(\n      `Unable to validate role ${groupPolicy}. Cause: ${err.message}`,\n    );\n  }\n\n  return undefined;\n}\n\nexport const checkForDuplicatePolicies = async (\n  fileEnf: Enforcer,\n  policy: string[],\n  policyFile: string,\n): Promise<Error | undefined> => {\n  const duplicates = await fileEnf.getFilteredPolicy(0, ...policy);\n  if (duplicates.length > 1) {\n    return new Error(\n      `Duplicate policy: ${policy} found in the file ${policyFile}`,\n    );\n  }\n\n  const flipPolicyEffect = [\n    policy[0],\n    policy[1],\n    policy[2],\n    policy[3] === 'deny' ? 'allow' : 'deny',\n  ];\n\n  // Check if the same policy exists but with a different effect\n  const dupWithDifferentEffect = await fileEnf.getFilteredPolicy(\n    0,\n    ...flipPolicyEffect,\n  );\n\n  if (dupWithDifferentEffect.length > 0) {\n    return new Error(\n      `Duplicate policy: ${policy[0]}, ${policy[1]}, ${policy[2]} with different effect found in the file ${policyFile}`,\n    );\n  }\n\n  return undefined;\n};\n\nexport const checkForDuplicateGroupPolicies = async (\n  fileEnf: Enforcer,\n  policy: string[],\n  policyFile: string,\n): Promise<Error | undefined> => {\n  const duplicates = await fileEnf.getFilteredGroupingPolicy(0, ...policy);\n\n  if (duplicates.length > 1) {\n    return new Error(\n      `Duplicate role: ${policy} found in the file ${policyFile}`,\n    );\n  }\n  return undefined;\n};\n"],"names":["isValidPermissionAction","PermissionActionValues","AuthorizeResult","parseEntityRef","NotAllowedError"],"mappings":";;;;;;;AA6Ca,MAAA,cAAA,GAAiB,OAC5B,MAAA,EACA,YAC+B,KAAA;AAC/B,EAAA,IAAI,CAAC,YAAc,EAAA;AACjB,IAAO,OAAA,KAAA,CAAA;AAAA;AAGT,EAAA,IAAI,YAAa,CAAA,MAAA,KAAW,MAAU,IAAA,YAAA,CAAa,WAAW,QAAU,EAAA;AACtE,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,0CACE,YAAa,CAAA,aACf,qCAAqC,YAAa,CAAA,MAAA,CAAO,mBAAmB,CAAA,CAAA;AAAA,KAC9E;AAAA;AAGF,EAAO,OAAA,KAAA,CAAA;AACT;AAGO,SAAS,eAAe,MAA4C,EAAA;AACzE,EAAM,MAAA,GAAA,GAAM,uBAAwB,CAAA,MAAA,CAAO,eAAe,CAAA;AAC1D,EAAA,IAAI,GAAK,EAAA;AACP,IAAO,OAAA,GAAA;AAAA;AAGT,EAAI,IAAA,CAAC,OAAO,UAAY,EAAA;AACtB,IAAO,OAAA,IAAI,MAAM,CAAsC,oCAAA,CAAA,CAAA;AAAA;AAGzD,EAAI,IAAA,CAAC,OAAO,MAAQ,EAAA;AAClB,IAAO,OAAA,IAAI,MAAM,CAAkC,gCAAA,CAAA,CAAA;AAAA,GAC1C,MAAA,IAAA,CAACA,wCAAwB,CAAA,MAAA,CAAO,MAAM,CAAG,EAAA;AAClD,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,gCACE,MAAO,CAAA,MACT,2BAA2BC,uCAAuB,CAAA,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,KAC9D;AAAA;AAGF,EAAI,IAAA,CAAC,OAAO,MAAQ,EAAA;AAClB,IAAO,OAAA,IAAI,MAAM,CAAkC,gCAAA,CAAA,CAAA;AAAA,GAC1C,MAAA,IAAA,CAAC,kBAAmB,CAAA,MAAA,CAAO,MAAM,CAAG,EAAA;AAC7C,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CACE,6BAAA,EAAA,MAAA,CAAO,MACT,CAAA,kBAAA,EAAqBC,sCAAgB,CAAA,KAAA,CAAM,iBAAkB,EAAC,CAAS,MAAA,EAAAA,sCAAA,CAAgB,IAAK,CAAA,iBAAA,EAAmB,CAAA,CAAA;AAAA,KACjH;AAAA;AAGF,EAAO,OAAA,KAAA,CAAA;AACT;AAEO,SAAS,aAAa,IAA+B,EAAA;AAC1D,EAAI,IAAA,CAAC,KAAK,IAAM,EAAA;AACd,IAAO,OAAA,IAAI,MAAM,CAAgC,8BAAA,CAAA,CAAA;AAAA;AAGnD,EAAA,IAAI,GAAM,GAAA,uBAAA,CAAwB,IAAK,CAAA,IAAA,EAAM,IAAI,CAAA;AACjD,EAAA,IAAI,GAAK,EAAA;AACP,IAAO,OAAA,GAAA;AAAA;AAGT,EAAA,IAAI,CAAC,IAAK,CAAA,gBAAA,IAAoB,IAAK,CAAA,gBAAA,CAAiB,WAAW,CAAG,EAAA;AAChE,IAAO,OAAA,IAAI,MAAM,CAA4C,0CAAA,CAAA,CAAA;AAAA;AAG/D,EAAW,KAAA,MAAA,MAAA,IAAU,KAAK,gBAAkB,EAAA;AAC1C,IAAA,GAAA,GAAM,wBAAwB,MAAM,CAAA;AACpC,IAAA,IAAI,GAAK,EAAA;AACP,MAAO,OAAA,GAAA;AAAA;AACT;AAEF,EAAO,OAAA,KAAA,CAAA;AACT;AAEA,SAAS,mBAAmB,MAAyB,EAAA;AACnD,EACE,OAAA,MAAA,KAAWA,uCAAgB,KAAM,CAAA,iBAAA,MACjC,MAAW,KAAAA,sCAAA,CAAgB,KAAK,iBAAkB,EAAA;AAEtD;AAEA,SAAS,kBAAkB,IAAuB,EAAA;AAChD,EAAA,MAAM,gBAAmB,GAAA,oCAAA;AACzB,EAAA,OAAO,gBAAiB,CAAA,IAAA,CAAK,IAAI,CAAA,IAAK,KAAK,MAAU,IAAA,EAAA;AACvD;AAEA,SAAS,uBAAuB,SAA4B,EAAA;AAC1D,EAAA,MAAM,qBAAwB,GAAA,0BAAA;AAC9B,EAAA,OAAO,qBAAsB,CAAA,IAAA,CAAK,SAAS,CAAA,IAAK,UAAU,MAAU,IAAA,EAAA;AACtE;AAGgB,SAAA,uBAAA,CACd,WACA,IACmB,EAAA;AACnB,EAAA,IAAI,CAAC,SAAW,EAAA;AACd,IAAO,OAAA,IAAI,MAAM,CAAqC,mCAAA,CAAA,CAAA;AAAA;AAGxD,EAAI,IAAA,iBAAA;AACJ,EAAI,IAAA;AACF,IAAA,iBAAA,GAAoBC,4BAAe,SAAS,CAAA;AAAA,WACrC,GAAK,EAAA;AACZ,IAAO,OAAA,GAAA;AAAA;AAGT,EAAM,MAAA,aAAA,GAAgB,GAAG,iBAAkB,CAAA,IAAI,IAAI,iBAAkB,CAAA,SAAS,CAAI,CAAA,EAAA,iBAAA,CAAkB,IAAI,CAAA,CAAA;AACxG,EAAA,IAAI,kBAAkB,SAAW,EAAA;AAC/B,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,qBAAqB,SAAS,CAAA,2GAAA;AAAA,KAChC;AAAA;AAGF,EAAI,IAAA,IAAA,IAAQ,iBAAkB,CAAA,IAAA,KAAS,MAAQ,EAAA;AAC7C,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAA,iBAAA,EAAoB,kBAAkB,IAAI,CAAA,kCAAA;AAAA,KAC5C;AAAA;AAGF,EACE,IAAA,iBAAA,CAAkB,SAAS,MAC3B,IAAA,iBAAA,CAAkB,SAAS,OAC3B,IAAA,iBAAA,CAAkB,SAAS,MAC3B,EAAA;AACA,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAA,iBAAA,EAAoB,kBAAkB,IAAI,CAAA,iDAAA;AAAA,KAC5C;AAAA;AAGF,EAAA,IAAI,CAAC,iBAAA,CAAkB,iBAAkB,CAAA,IAAI,CAAG,EAAA;AAC9C,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAA,UAAA,EAAa,kBAAkB,IAAI,CAAA,qIAAA;AAAA,KACrC;AAAA;AAGF,EAAA,IAAI,CAAC,sBAAA,CAAuB,iBAAkB,CAAA,SAAS,CAAG,EAAA;AACxD,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAA,eAAA,EAAkB,kBAAkB,SAAS,CAAA,yHAAA;AAAA,KAC/C;AAAA;AAGF,EAAO,OAAA,KAAA,CAAA;AACT;AAEsB,eAAA,sBAAA,CACpB,WACA,EAAA,mBAAA,EACA,MAC4B,EAAA;AAC5B,EAAI,IAAA,WAAA,CAAY,WAAW,CAAG,EAAA;AAC5B,IAAO,OAAA,IAAI,MAAM,CAAmC,iCAAA,CAAA,CAAA;AAAA;AAGtD,EAAM,MAAA,MAAA,GAAS,YAAY,CAAC,CAAA;AAC5B,EAAI,IAAA,GAAA,GAAM,wBAAwB,MAAM,CAAA;AACxC,EAAA,IAAI,GAAK,EAAA;AACP,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAmC,gCAAA,EAAA,WAAW,CAAY,SAAA,EAAA,GAAA,CAAI,OAAO,CAAA;AAAA,KACvE;AAAA;AAEF,EAAM,MAAA,MAAA,GAAS,YAAY,CAAC,CAAA;AAC5B,EAAA,GAAA,GAAM,wBAAwB,MAAM,CAAA;AACpC,EAAA,IAAI,GAAK,EAAA;AACP,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAmC,gCAAA,EAAA,WAAW,CAAY,SAAA,EAAA,GAAA,CAAI,OAAO,CAAA;AAAA,KACvE;AAAA;AAEF,EAAI,IAAA,MAAA,CAAO,UAAW,CAAA,CAAA,KAAA,CAAO,CAAG,EAAA;AAC9B,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,4BAA4B,WAAW,CAAA,uDAAA;AAAA,KACzC;AAAA;AAEF,EAAA,IAAI,OAAO,UAAW,CAAA,CAAA,MAAA,CAAQ,KAAK,MAAO,CAAA,UAAA,CAAW,QAAQ,CAAG,EAAA;AAC9D,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,4BAA4B,WAAW,CAAA,gFAAA;AAAA,KACzC;AAAA;AAEF,EAAA,IAAI,OAAO,UAAW,CAAA,CAAA,KAAA,CAAO,KAAK,MAAO,CAAA,UAAA,CAAW,QAAQ,CAAG,EAAA;AAC7D,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,4BAA4B,WAAW,CAAA,8EAAA;AAAA,KACzC;AAAA;AAGF,EAAA,MAAM,QAAW,GAAA,MAAM,mBAAoB,CAAA,gBAAA,CAAiB,MAAM,CAAA;AAElE,EAAM,GAAA,GAAA,MAAM,cAAe,CAAA,MAAA,EAAQ,QAAQ,CAAA;AAC3C,EAAA,IAAI,YAAY,GAAK,EAAA;AACnB,IAAA,OAAO,IAAIC,sBAAA;AAAA,MACT,CAA2B,wBAAA,EAAA,WAAW,CAAY,SAAA,EAAA,GAAA,CAAI,OAAO,CAAA;AAAA,KAC/D;AAAA;AAGF,EAAO,OAAA,KAAA,CAAA;AACT;AAEO,MAAM,yBAA4B,GAAA,OACvC,OACA,EAAA,MAAA,EACA,UAC+B,KAAA;AAC/B,EAAA,MAAM,aAAa,MAAM,OAAA,CAAQ,iBAAkB,CAAA,CAAA,EAAG,GAAG,MAAM,CAAA;AAC/D,EAAI,IAAA,UAAA,CAAW,SAAS,CAAG,EAAA;AACzB,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAA,kBAAA,EAAqB,MAAM,CAAA,mBAAA,EAAsB,UAAU,CAAA;AAAA,KAC7D;AAAA;AAGF,EAAA,MAAM,gBAAmB,GAAA;AAAA,IACvB,OAAO,CAAC,CAAA;AAAA,IACR,OAAO,CAAC,CAAA;AAAA,IACR,OAAO,CAAC,CAAA;AAAA,IACR,MAAO,CAAA,CAAC,CAAM,KAAA,MAAA,GAAS,OAAU,GAAA;AAAA,GACnC;AAGA,EAAM,MAAA,sBAAA,GAAyB,MAAM,OAAQ,CAAA,iBAAA;AAAA,IAC3C,CAAA;AAAA,IACA,GAAG;AAAA,GACL;AAEA,EAAI,IAAA,sBAAA,CAAuB,SAAS,CAAG,EAAA;AACrC,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAqB,kBAAA,EAAA,MAAA,CAAO,CAAC,CAAC,CAAK,EAAA,EAAA,MAAA,CAAO,CAAC,CAAC,CAAK,EAAA,EAAA,MAAA,CAAO,CAAC,CAAC,4CAA4C,UAAU,CAAA;AAAA,KAClH;AAAA;AAGF,EAAO,OAAA,KAAA,CAAA;AACT;AAEO,MAAM,8BAAiC,GAAA,OAC5C,OACA,EAAA,MAAA,EACA,UAC+B,KAAA;AAC/B,EAAA,MAAM,aAAa,MAAM,OAAA,CAAQ,yBAA0B,CAAA,CAAA,EAAG,GAAG,MAAM,CAAA;AAEvE,EAAI,IAAA,UAAA,CAAW,SAAS,CAAG,EAAA;AACzB,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAA,gBAAA,EAAmB,MAAM,CAAA,mBAAA,EAAsB,UAAU,CAAA;AAAA,KAC3D;AAAA;AAEF,EAAO,OAAA,KAAA,CAAA;AACT;;;;;;;;;;"}
+{"version":3,"file":"policies-validation.cjs.js","sources":["../../src/validation/policies-validation.ts"],"sourcesContent":["/*\n * Copyright 2024 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport { CompoundEntityRef, parseEntityRef } from '@backstage/catalog-model';\nimport { NotAllowedError } from '@backstage/errors';\nimport { AuthorizeResult } from '@backstage/plugin-permission-common';\n\nimport { Enforcer } from 'casbin';\n\nimport {\n  isValidPermissionAction,\n  PermissionActionValues,\n  Role,\n  RoleBasedPolicy,\n  Source,\n} from '@backstage-community/plugin-rbac-common';\n\nimport {\n  RoleMetadataDao,\n  RoleMetadataStorage,\n} from '../database/role-metadata';\n\n/**\n * validateSource validates the source to the role that is being modified. This includes comparing the source from the\n * originating role to the source that the modification is coming from.\n * We do this to ensure consistency between permissions and roles and where they are originally defined.\n * This is a strict comparison where the source of all new roles (grouping policies) and permissions must match\n * the source of the first role that was created.\n * We are not strict for permission policies defined with an originating role source of configuration.\n * @param source The source in which the modification is coming from\n * @param roleMetadata The original role that was created\n * @returns An error in the event that the source does not match the originating role\n */\nexport const validateSource = async (\n  source: Source,\n  roleMetadata: RoleMetadataDao | undefined,\n): Promise<Error | undefined> => {\n  if (!roleMetadata) {\n    return undefined; // Role does not exist yet, there is no conflict with the source\n  }\n\n  if (roleMetadata.source !== source && roleMetadata.source !== 'legacy') {\n    return new Error(\n      `source does not match originating role ${\n        roleMetadata.roleEntityRef\n      }, consider making changes to the '${roleMetadata.source.toLocaleUpperCase()}'`,\n    );\n  }\n\n  return undefined;\n};\n\n// This should be called on add and edit and delete\nexport function validatePolicy(policy: RoleBasedPolicy): Error | undefined {\n  const err = validateEntityReference(policy.entityReference);\n  if (err) {\n    return err;\n  }\n\n  if (!policy.permission) {\n    return new Error(`'permission' field must not be empty`);\n  }\n\n  if (!policy.policy) {\n    return new Error(`'policy' field must not be empty`);\n  } else if (!isValidPermissionAction(policy.policy)) {\n    return new Error(\n      `'policy' has invalid value: '${\n        policy.policy\n      }'. It should be one of: ${PermissionActionValues.join(', ')}`,\n    );\n  }\n\n  if (!policy.effect) {\n    return new Error(`'effect' field must not be empty`);\n  } else if (!isValidEffectValue(policy.effect)) {\n    return new Error(\n      `'effect' has invalid value: '${\n        policy.effect\n      }'. It should be: '${AuthorizeResult.ALLOW.toLocaleLowerCase()}' or '${AuthorizeResult.DENY.toLocaleLowerCase()}'`,\n    );\n  }\n\n  return undefined;\n}\n\nexport function validateRole(role: Role): Error | undefined {\n  if (!role.name) {\n    return new Error(`'name' field must not be empty`);\n  }\n\n  let err = validateEntityReference(role.name, true);\n  if (err) {\n    return err;\n  }\n\n  if (!role.memberReferences || role.memberReferences.length === 0) {\n    return new Error(`'memberReferences' field must not be empty`);\n  }\n\n  for (const member of role.memberReferences) {\n    err = validateEntityReference(member);\n    if (err) {\n      return err;\n    }\n  }\n  return undefined;\n}\n\nfunction isValidEffectValue(effect: string): boolean {\n  return (\n    effect === AuthorizeResult.ALLOW.toLocaleLowerCase() ||\n    effect === AuthorizeResult.DENY.toLocaleLowerCase()\n  );\n}\n\nfunction isValidEntityName(name: string): boolean {\n  const validNamePattern = /^[a-zA-Z0-9]+([._-][a-zA-Z0-9]+)*$/;\n  return validNamePattern.test(name) && name.length <= 63;\n}\n\nfunction isValidEntityNamespace(namespace: string): boolean {\n  const validNamespacePattern = /^[a-z0-9]+(-[a-z0-9]+)*$/;\n  return validNamespacePattern.test(namespace) && namespace.length <= 63;\n}\n\n// We supports only full form entity reference: [<kind>:][<namespace>/]<name>\nexport function validateEntityReference(\n  entityRef?: string,\n  role?: boolean,\n): Error | undefined {\n  if (!entityRef) {\n    return new Error(`'entityReference' must not be empty`);\n  }\n\n  let entityRefCompound: CompoundEntityRef;\n  try {\n    entityRefCompound = parseEntityRef(entityRef);\n  } catch (err) {\n    return err as Error;\n  }\n\n  const entityRefFull = `${entityRefCompound.kind}:${entityRefCompound.namespace}/${entityRefCompound.name}`;\n  if (entityRefFull !== entityRef) {\n    return new Error(\n      `entity reference '${entityRef}' does not match the required format [<kind>:][<namespace>/]<name>. Provide, please, full entity reference.`,\n    );\n  }\n\n  if (role && entityRefCompound.kind !== 'role') {\n    return new Error(\n      `Unsupported kind ${entityRefCompound.kind}. Supported value should be \"role\"`,\n    );\n  }\n\n  if (\n    entityRefCompound.kind !== 'user' &&\n    entityRefCompound.kind !== 'group' &&\n    entityRefCompound.kind !== 'role'\n  ) {\n    return new Error(\n      `Unsupported kind ${entityRefCompound.kind}. List supported values [\"user\", \"group\", \"role\"]`,\n    );\n  }\n\n  if (!isValidEntityName(entityRefCompound.name)) {\n    return new Error(\n      `The name '${entityRefCompound.name}' in the entity reference must be a string that is sequences of [a-zA-Z0-9] separated by any of [-_.], at most 63 characters in total`,\n    );\n  }\n\n  if (!isValidEntityNamespace(entityRefCompound.namespace)) {\n    return new Error(\n      `The namespace '${entityRefCompound.namespace}' in the entity reference must be a string that is sequences of [a-z0-9] separated by [-], at most 63 characters in total`,\n    );\n  }\n\n  return undefined;\n}\n\nexport async function validateGroupingPolicy(\n  groupPolicy: string[],\n  roleMetadataStorage: RoleMetadataStorage,\n  source: Source,\n): Promise<Error | undefined> {\n  if (groupPolicy.length !== 2) {\n    return new Error(`Group policy should have length 2`);\n  }\n\n  const member = groupPolicy[0];\n  let err = validateEntityReference(member);\n  if (err) {\n    return new Error(\n      `Failed to validate group policy ${groupPolicy}. Cause: ${err.message}`,\n    );\n  }\n  const parent = groupPolicy[1];\n  err = validateEntityReference(parent);\n  if (err) {\n    return new Error(\n      `Failed to validate group policy ${groupPolicy}. Cause: ${err.message}`,\n    );\n  }\n  if (member.startsWith(`role:`)) {\n    return new Error(\n      `Group policy is invalid: ${groupPolicy}. rbac-backend plugin doesn't support role inheritance.`,\n    );\n  }\n  if (member.startsWith(`group:`) && parent.startsWith(`group:`)) {\n    return new Error(\n      `Group policy is invalid: ${groupPolicy}. Group inheritance information could be provided only with help of Catalog API.`,\n    );\n  }\n  if (member.startsWith(`user:`) && parent.startsWith(`group:`)) {\n    return new Error(\n      `Group policy is invalid: ${groupPolicy}. User membership information could be provided only with help of Catalog API.`,\n    );\n  }\n\n  const metadata = await roleMetadataStorage.findRoleMetadata(parent);\n\n  err = await validateSource(source, metadata);\n  if (metadata && err) {\n    return new NotAllowedError(\n      `Unable to validate role ${groupPolicy}. Cause: ${err.message}`,\n    );\n  }\n\n  return undefined;\n}\n\nexport const checkForDuplicatePolicies = async (\n  fileEnf: Enforcer,\n  policy: string[],\n  policyFile: string,\n): Promise<Error | undefined> => {\n  const duplicates = await fileEnf.getFilteredPolicy(0, ...policy);\n  if (duplicates.length > 1) {\n    return new Error(\n      `Duplicate policy: ${policy} found in the file ${policyFile}`,\n    );\n  }\n\n  const flipPolicyEffect = [\n    policy[0],\n    policy[1],\n    policy[2],\n    policy[3] === 'deny' ? 'allow' : 'deny',\n  ];\n\n  // Check if the same policy exists but with a different effect\n  const dupWithDifferentEffect = await fileEnf.getFilteredPolicy(\n    0,\n    ...flipPolicyEffect,\n  );\n\n  if (dupWithDifferentEffect.length > 0) {\n    return new Error(\n      `Duplicate policy: ${policy[0]}, ${policy[1]}, ${policy[2]} with different effect found in the file ${policyFile}`,\n    );\n  }\n\n  return undefined;\n};\n\nexport const checkForDuplicateGroupPolicies = async (\n  fileEnf: Enforcer,\n  policy: string[],\n  policyFile: string,\n): Promise<Error | undefined> => {\n  const duplicates = await fileEnf.getFilteredGroupingPolicy(0, ...policy);\n\n  if (duplicates.length > 1) {\n    return new Error(\n      `Duplicate role: ${policy} found in the file ${policyFile}`,\n    );\n  }\n  return undefined;\n};\n"],"names":["isValidPermissionAction","PermissionActionValues","AuthorizeResult","parseEntityRef","NotAllowedError"],"mappings":";;;;;;;AA6Ca,MAAA,cAAA,GAAiB,OAC5B,MAAA,EACA,YAC+B,KAAA;AAC/B,EAAA,IAAI,CAAC,YAAc,EAAA;AACjB,IAAO,OAAA,SAAA;AAAA;AAGT,EAAA,IAAI,YAAa,CAAA,MAAA,KAAW,MAAU,IAAA,YAAA,CAAa,WAAW,QAAU,EAAA;AACtE,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,0CACE,YAAa,CAAA,aACf,qCAAqC,YAAa,CAAA,MAAA,CAAO,mBAAmB,CAAA,CAAA;AAAA,KAC9E;AAAA;AAGF,EAAO,OAAA,SAAA;AACT;AAGO,SAAS,eAAe,MAA4C,EAAA;AACzE,EAAM,MAAA,GAAA,GAAM,uBAAwB,CAAA,MAAA,CAAO,eAAe,CAAA;AAC1D,EAAA,IAAI,GAAK,EAAA;AACP,IAAO,OAAA,GAAA;AAAA;AAGT,EAAI,IAAA,CAAC,OAAO,UAAY,EAAA;AACtB,IAAO,OAAA,IAAI,MAAM,CAAsC,oCAAA,CAAA,CAAA;AAAA;AAGzD,EAAI,IAAA,CAAC,OAAO,MAAQ,EAAA;AAClB,IAAO,OAAA,IAAI,MAAM,CAAkC,gCAAA,CAAA,CAAA;AAAA,GAC1C,MAAA,IAAA,CAACA,wCAAwB,CAAA,MAAA,CAAO,MAAM,CAAG,EAAA;AAClD,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,gCACE,MAAO,CAAA,MACT,2BAA2BC,uCAAuB,CAAA,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,KAC9D;AAAA;AAGF,EAAI,IAAA,CAAC,OAAO,MAAQ,EAAA;AAClB,IAAO,OAAA,IAAI,MAAM,CAAkC,gCAAA,CAAA,CAAA;AAAA,GAC1C,MAAA,IAAA,CAAC,kBAAmB,CAAA,MAAA,CAAO,MAAM,CAAG,EAAA;AAC7C,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CACE,6BAAA,EAAA,MAAA,CAAO,MACT,CAAA,kBAAA,EAAqBC,sCAAgB,CAAA,KAAA,CAAM,iBAAkB,EAAC,CAAS,MAAA,EAAAA,sCAAA,CAAgB,IAAK,CAAA,iBAAA,EAAmB,CAAA,CAAA;AAAA,KACjH;AAAA;AAGF,EAAO,OAAA,SAAA;AACT;AAEO,SAAS,aAAa,IAA+B,EAAA;AAC1D,EAAI,IAAA,CAAC,KAAK,IAAM,EAAA;AACd,IAAO,OAAA,IAAI,MAAM,CAAgC,8BAAA,CAAA,CAAA;AAAA;AAGnD,EAAA,IAAI,GAAM,GAAA,uBAAA,CAAwB,IAAK,CAAA,IAAA,EAAM,IAAI,CAAA;AACjD,EAAA,IAAI,GAAK,EAAA;AACP,IAAO,OAAA,GAAA;AAAA;AAGT,EAAA,IAAI,CAAC,IAAK,CAAA,gBAAA,IAAoB,IAAK,CAAA,gBAAA,CAAiB,WAAW,CAAG,EAAA;AAChE,IAAO,OAAA,IAAI,MAAM,CAA4C,0CAAA,CAAA,CAAA;AAAA;AAG/D,EAAW,KAAA,MAAA,MAAA,IAAU,KAAK,gBAAkB,EAAA;AAC1C,IAAA,GAAA,GAAM,wBAAwB,MAAM,CAAA;AACpC,IAAA,IAAI,GAAK,EAAA;AACP,MAAO,OAAA,GAAA;AAAA;AACT;AAEF,EAAO,OAAA,SAAA;AACT;AAEA,SAAS,mBAAmB,MAAyB,EAAA;AACnD,EACE,OAAA,MAAA,KAAWA,uCAAgB,KAAM,CAAA,iBAAA,MACjC,MAAW,KAAAA,sCAAA,CAAgB,KAAK,iBAAkB,EAAA;AAEtD;AAEA,SAAS,kBAAkB,IAAuB,EAAA;AAChD,EAAA,MAAM,gBAAmB,GAAA,oCAAA;AACzB,EAAA,OAAO,gBAAiB,CAAA,IAAA,CAAK,IAAI,CAAA,IAAK,KAAK,MAAU,IAAA,EAAA;AACvD;AAEA,SAAS,uBAAuB,SAA4B,EAAA;AAC1D,EAAA,MAAM,qBAAwB,GAAA,0BAAA;AAC9B,EAAA,OAAO,qBAAsB,CAAA,IAAA,CAAK,SAAS,CAAA,IAAK,UAAU,MAAU,IAAA,EAAA;AACtE;AAGgB,SAAA,uBAAA,CACd,WACA,IACmB,EAAA;AACnB,EAAA,IAAI,CAAC,SAAW,EAAA;AACd,IAAO,OAAA,IAAI,MAAM,CAAqC,mCAAA,CAAA,CAAA;AAAA;AAGxD,EAAI,IAAA,iBAAA;AACJ,EAAI,IAAA;AACF,IAAA,iBAAA,GAAoBC,4BAAe,SAAS,CAAA;AAAA,WACrC,GAAK,EAAA;AACZ,IAAO,OAAA,GAAA;AAAA;AAGT,EAAM,MAAA,aAAA,GAAgB,GAAG,iBAAkB,CAAA,IAAI,IAAI,iBAAkB,CAAA,SAAS,CAAI,CAAA,EAAA,iBAAA,CAAkB,IAAI,CAAA,CAAA;AACxG,EAAA,IAAI,kBAAkB,SAAW,EAAA;AAC/B,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,qBAAqB,SAAS,CAAA,2GAAA;AAAA,KAChC;AAAA;AAGF,EAAI,IAAA,IAAA,IAAQ,iBAAkB,CAAA,IAAA,KAAS,MAAQ,EAAA;AAC7C,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAA,iBAAA,EAAoB,kBAAkB,IAAI,CAAA,kCAAA;AAAA,KAC5C;AAAA;AAGF,EACE,IAAA,iBAAA,CAAkB,SAAS,MAC3B,IAAA,iBAAA,CAAkB,SAAS,OAC3B,IAAA,iBAAA,CAAkB,SAAS,MAC3B,EAAA;AACA,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAA,iBAAA,EAAoB,kBAAkB,IAAI,CAAA,iDAAA;AAAA,KAC5C;AAAA;AAGF,EAAA,IAAI,CAAC,iBAAA,CAAkB,iBAAkB,CAAA,IAAI,CAAG,EAAA;AAC9C,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAA,UAAA,EAAa,kBAAkB,IAAI,CAAA,qIAAA;AAAA,KACrC;AAAA;AAGF,EAAA,IAAI,CAAC,sBAAA,CAAuB,iBAAkB,CAAA,SAAS,CAAG,EAAA;AACxD,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAA,eAAA,EAAkB,kBAAkB,SAAS,CAAA,yHAAA;AAAA,KAC/C;AAAA;AAGF,EAAO,OAAA,SAAA;AACT;AAEsB,eAAA,sBAAA,CACpB,WACA,EAAA,mBAAA,EACA,MAC4B,EAAA;AAC5B,EAAI,IAAA,WAAA,CAAY,WAAW,CAAG,EAAA;AAC5B,IAAO,OAAA,IAAI,MAAM,CAAmC,iCAAA,CAAA,CAAA;AAAA;AAGtD,EAAM,MAAA,MAAA,GAAS,YAAY,CAAC,CAAA;AAC5B,EAAI,IAAA,GAAA,GAAM,wBAAwB,MAAM,CAAA;AACxC,EAAA,IAAI,GAAK,EAAA;AACP,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAmC,gCAAA,EAAA,WAAW,CAAY,SAAA,EAAA,GAAA,CAAI,OAAO,CAAA;AAAA,KACvE;AAAA;AAEF,EAAM,MAAA,MAAA,GAAS,YAAY,CAAC,CAAA;AAC5B,EAAA,GAAA,GAAM,wBAAwB,MAAM,CAAA;AACpC,EAAA,IAAI,GAAK,EAAA;AACP,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAmC,gCAAA,EAAA,WAAW,CAAY,SAAA,EAAA,GAAA,CAAI,OAAO,CAAA;AAAA,KACvE;AAAA;AAEF,EAAI,IAAA,MAAA,CAAO,UAAW,CAAA,CAAA,KAAA,CAAO,CAAG,EAAA;AAC9B,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,4BAA4B,WAAW,CAAA,uDAAA;AAAA,KACzC;AAAA;AAEF,EAAA,IAAI,OAAO,UAAW,CAAA,CAAA,MAAA,CAAQ,KAAK,MAAO,CAAA,UAAA,CAAW,QAAQ,CAAG,EAAA;AAC9D,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,4BAA4B,WAAW,CAAA,gFAAA;AAAA,KACzC;AAAA;AAEF,EAAA,IAAI,OAAO,UAAW,CAAA,CAAA,KAAA,CAAO,KAAK,MAAO,CAAA,UAAA,CAAW,QAAQ,CAAG,EAAA;AAC7D,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,4BAA4B,WAAW,CAAA,8EAAA;AAAA,KACzC;AAAA;AAGF,EAAA,MAAM,QAAW,GAAA,MAAM,mBAAoB,CAAA,gBAAA,CAAiB,MAAM,CAAA;AAElE,EAAM,GAAA,GAAA,MAAM,cAAe,CAAA,MAAA,EAAQ,QAAQ,CAAA;AAC3C,EAAA,IAAI,YAAY,GAAK,EAAA;AACnB,IAAA,OAAO,IAAIC,sBAAA;AAAA,MACT,CAA2B,wBAAA,EAAA,WAAW,CAAY,SAAA,EAAA,GAAA,CAAI,OAAO,CAAA;AAAA,KAC/D;AAAA;AAGF,EAAO,OAAA,SAAA;AACT;AAEO,MAAM,yBAA4B,GAAA,OACvC,OACA,EAAA,MAAA,EACA,UAC+B,KAAA;AAC/B,EAAA,MAAM,aAAa,MAAM,OAAA,CAAQ,iBAAkB,CAAA,CAAA,EAAG,GAAG,MAAM,CAAA;AAC/D,EAAI,IAAA,UAAA,CAAW,SAAS,CAAG,EAAA;AACzB,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAA,kBAAA,EAAqB,MAAM,CAAA,mBAAA,EAAsB,UAAU,CAAA;AAAA,KAC7D;AAAA;AAGF,EAAA,MAAM,gBAAmB,GAAA;AAAA,IACvB,OAAO,CAAC,CAAA;AAAA,IACR,OAAO,CAAC,CAAA;AAAA,IACR,OAAO,CAAC,CAAA;AAAA,IACR,MAAO,CAAA,CAAC,CAAM,KAAA,MAAA,GAAS,OAAU,GAAA;AAAA,GACnC;AAGA,EAAM,MAAA,sBAAA,GAAyB,MAAM,OAAQ,CAAA,iBAAA;AAAA,IAC3C,CAAA;AAAA,IACA,GAAG;AAAA,GACL;AAEA,EAAI,IAAA,sBAAA,CAAuB,SAAS,CAAG,EAAA;AACrC,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAqB,kBAAA,EAAA,MAAA,CAAO,CAAC,CAAC,CAAK,EAAA,EAAA,MAAA,CAAO,CAAC,CAAC,CAAK,EAAA,EAAA,MAAA,CAAO,CAAC,CAAC,4CAA4C,UAAU,CAAA;AAAA,KAClH;AAAA;AAGF,EAAO,OAAA,SAAA;AACT;AAEO,MAAM,8BAAiC,GAAA,OAC5C,OACA,EAAA,MAAA,EACA,UAC+B,KAAA;AAC/B,EAAA,MAAM,aAAa,MAAM,OAAA,CAAQ,yBAA0B,CAAA,CAAA,EAAG,GAAG,MAAM,CAAA;AAEvE,EAAI,IAAA,UAAA,CAAW,SAAS,CAAG,EAAA;AACzB,IAAA,OAAO,IAAI,KAAA;AAAA,MACT,CAAA,gBAAA,EAAmB,MAAM,CAAA,mBAAA,EAAsB,UAAU,CAAA;AAAA,KAC3D;AAAA;AAEF,EAAO,OAAA,SAAA;AACT;;;;;;;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage-community/plugin-rbac-backend",
-  "version": "5.3.1",
+  "version": "5.4.0",
   "main": "dist/index.cjs.js",
   "types": "dist/index.d.ts",
   "license": "Apache-2.0",
@@ -34,17 +34,17 @@
     "postpack": "backstage-cli package postpack"
   },
   "dependencies": {
-    "@backstage-community/plugin-rbac-common": "^1.12.3",
-    "@backstage-community/plugin-rbac-node": "^1.8.4",
-    "@backstage/backend-defaults": "^0.5.2",
-    "@backstage/backend-plugin-api": "^1.0.1",
-    "@backstage/catalog-client": "^1.7.1",
-    "@backstage/catalog-model": "^1.7.0",
-    "@backstage/errors": "^1.2.4",
-    "@backstage/plugin-auth-node": "^0.5.3",
-    "@backstage/plugin-permission-backend": "^0.5.50",
-    "@backstage/plugin-permission-common": "^0.8.1",
-    "@backstage/plugin-permission-node": "^0.8.4",
+    "@backstage-community/plugin-rbac-common": "^1.13.0",
+    "@backstage-community/plugin-rbac-node": "^1.9.0",
+    "@backstage/backend-defaults": "^0.7.0",
+    "@backstage/backend-plugin-api": "^1.1.1",
+    "@backstage/catalog-client": "^1.9.1",
+    "@backstage/catalog-model": "^1.7.3",
+    "@backstage/errors": "^1.2.7",
+    "@backstage/plugin-auth-node": "^0.5.6",
+    "@backstage/plugin-permission-backend": "^0.5.53",
+    "@backstage/plugin-permission-common": "^0.8.4",
+    "@backstage/plugin-permission-node": "^0.8.7",
     "@dagrejs/graphlib": "^2.1.13",
     "@janus-idp/backstage-plugin-audit-log-node": "^1.7.1",
     "casbin": "^5.27.1",
@@ -57,11 +57,11 @@
     "typeorm-adapter": "^1.6.1"
   },
   "devDependencies": {
-    "@backstage/backend-test-utils": "1.0.2",
-    "@backstage/cli": "0.28.2",
-    "@backstage/config": "1.2.0",
-    "@backstage/core-plugin-api": "1.10.0",
-    "@backstage/types": "1.1.1",
+    "@backstage/backend-test-utils": "^1.2.1",
+    "@backstage/cli": "^0.29.5",
+    "@backstage/config": "^1.3.2",
+    "@backstage/core-plugin-api": "^1.10.3",
+    "@backstage/types": "^1.2.1",
     "@spotify/prettier-config": "^15.0.0",
     "@types/express": "4.17.21",
     "@types/knex": "^0.16.1",
@@ -105,5 +105,12 @@
     "*.{json,md}": [
       "prettier --write"
     ]
+  },
+  "typesVersions": {
+    "*": {
+      "index": [
+        "dist/index.d.ts"
+      ]
+    }
   }
 }